Revision as of 04:54, 28 January 2014

nftables is a netfilter project that aims to replace the existing ip-, ip6-, arp-, and ebtables framework. It provides a new packet filtering framework, a new user-space utility (nft), and a compatibility layer for ip- and ip6tables. It uses the existing hooks, connection tracking system, user-space queueing component, and logging subsystem of netfilter.

The first release is part of Linux 3.13, which is currently in the [testing] repository (package linux). The user-space components are available in the [community-testing] repository (package nftables) and in the AUR as nftables-git.


Overview

nftables consists of three main components: a kernel implementation, the libnl netlink communication and the nftables user-space front-end. The kernel provides a netlink configuration interface, as well as run-time rule-set evaluation using a small classification language interpreter. libnl contains the low-level functions for communicating with the kernel; the nftables front-end is what the user interacts with.

nft

nft, the user-space utility, performs most of the rule-set evaluation (parsing, type checking and compilation into the kernel's classification language) before handing the result to the kernel. Because of this, nftables provides no default tables or chains; a user can, however, emulate an iptables-like setup. Until a chain has been created and attached to a netfilter hook, nothing is filtered.

It works in a fashion similar to ifconfig or iproute2: a command is a long, structured sequence of words rather than the argument switches used by iptables. For example:

nft add rule ip6 filter input ip6 saddr ::1 accept

add is the command. rule is a subcommand of add. ip6 is an argument of rule, telling it to use the ip6 family. filter and input are arguments of rule specifying the table and chain to use, respectively. The rest is the rule definition, which consists of matches (ip6), their parameters (saddr), parameter arguments (::1) and, finally, a verdict (accept). The match names the protocol whose header is inspected: ip saddr only matches an IPv4 header, so the IPv6 loopback address has to be matched with ip6 saddr.

Tables

The purpose of tables is to hold chains. Unlike tables in iptables, there are no built-in tables in nftables. Tables can have one of four families specified, which unifies the various iptables utilities into one:

ip (iptables)

ip6 (ip6tables)

arp (arptables)

bridge (ebtables)

ip is the default family.
A fifth family, inet, is scheduled for Linux 3.15; it unifies the ip and ip6 families so that a rule for both can be defined once.

Listing

You can list the current tables in a family with the nft list command.

# nft list tables
# nft list tables ip6

You can list a full table definition by specifying a table name:

# nft list table foo
# nft list table ip6 foo

Creation

Tables can be added via two commands — one just being a shortcut for the other. Here is an example of how to add an ip table called foo and an ip6 table called foo:

# nft add table foo
# nft table ip6 foo

You can have two tables with the same name as long as they are in different families.

Deletion

Tables can only be deleted if there are no chains in them.

# nft delete table foo
# nft delete table ip6 foo

Chains

The purpose of chains is to hold rules. Unlike chains in iptables, there are no built-in chains in nftables. This has a consequence that is easy to overlook: a chain only sees traffic once it has been given a type and attached to a netfilter hook (see Properties below), and a hook with no chain attached is not touched by nftables at all, so packets pass it unfiltered. In iptables, by contrast, the built-in chains always exist and their default policy applies even when no rules have been added.

Listing

You can list the current chains in a table with the nft list command, using the same method as listing a table. You can also list a single chain, which shows its properties and its rules.

# nft list chain foo bar
# nft list chain ip6 foo bar

These commands will list the bar chains in the ip and ip6 foo tables.

Creation

Chains can be added when a table is created in a file definition or one at a time via the nft add chain command.

# nft add chain foo bar
# nft add chain ip6 foo bar

These commands will add a chain called bar to the ip and ip6 foo tables.

Properties

Because nftables has no built-in chains, a chain has to be told explicitly where in the netfilter framework it sits. A chain given these properties is attached to a hook and sees traffic; a chain without them is only reachable by a jump from another chain.

# nft add chain filter input '{ type filter hook input priority 0; }'

The braces and the semicolon are quoted so that the shell passes them to nft instead of interpreting them itself; without the quotes the shell ends the command at the semicolon and nft receives an incomplete definition.

This command tells nftables to add a chain called input to the filter table and defines its type, hook, and priority. These properties essentially replace the built-in tables and chains in iptables.

Types

There are three types a chain can have; they correspond to the tables used in iptables. Not every type is valid on every hook: filter chains can be attached to any hook, nat chains to prerouting, input, output and postrouting but not to forward, and route chains only to output, where they re-evaluate the routing decision for packets the chain has modified (the job of the mangle table's OUTPUT chain in iptables):

filter

nat

route (mangle)

Hooks

There are five hooks a chain can use and they correspond to the chains used in iptables:

input

output

forward

prerouting

postrouting

Priorities

Priorities order the chains attached to the same hook: the chain with the lowest priority value is evaluated first, then the next higher, and so on. The value is a signed integer and may be negative or positive. It also positions the chain relative to the other netfilter components registered on that hook, which use the same scale (connection tracking at -200, iptables' mangle at -150, destination NAT at -100, filter at 0, source NAT at 100), so a filter chain at priority 0 sees packets after connection tracking and destination NAT have run. Note that an accept verdict only ends evaluation of the current chain; the packet still passes through the remaining chains on that hook, whereas drop is final.

Deletion

Chains can only be deleted if there are no rules in them.

# nft delete chain foo bar
# nft delete chain ip6 foo bar

These commands delete the bar chains from the ip and ip6 foo tables.

Rules

The purpose of rules is to identify packets (match) and decide what happens to them: a verdict such as accept or drop, a jump to another chain, or a non-terminating statement such as counter or log. Like in iptables, there are various matches and statements available, though not all of them are feature-complete in nftables yet.

Listing

You can list all rules in a table with nft list table, as shown above. The rules of an individual chain are listed with nft list chain:

# nft list chain foo bar
# nft list chain ip6 foo bar

These commands will list the rules in the bar chains in the ip and ip6 foo tables.

Creation

Rules can be added when a table is created in a file definition or one at a time via the nft add rule command. A rule is addressed by family, table and chain, followed by the rule definition itself.

For example, a rule in the bar chain of the ip foo table can match a packet whose saddr (source address) is 127.0.0.1 and accept it; the corresponding rule in the bar chain of the ip6 foo table matches ::1, using the ip6 match rather than ip because a different header is being inspected.

Matches

There are various matches available in nftables and, for the most part, they coincide with their iptables counterparts. The most noticeable difference is that there are no generic or implicit matches anymore. A generic match was one that was always available, such as --protocol or --source; implicit matches were protocol-specific and became available once the protocol was known, such as --sport after a packet was determined to be TCP. In nftables every match names the protocol whose header it inspects (ip saddr, tcp sport), and nft adds the necessary protocol check itself, so a rule on a TCP port does not have to state the transport protocol separately.

The following is an incomplete list of the matches available:

meta (meta properties, e.g. interfaces)

icmp (ICMP protocol)

icmpv6 (ICMPv6 protocol)

ip* (IP protocol)

ip6* (IPv6 protocol)

tcp* (TCP protocol)

udp* (UDP protocol)

sctp* (SCTP protocol)

ct (connection tracking)

The ones marked with an asterisk (*) can be used as a standalone match, similar to using --protocol. The others require arguments.

Deletion

Rules are removed by flushing the chain or table that holds them with the nft flush command, which addresses a table or a chain the same way nft list does. Flushing a table removes the rules from every chain in that table; flushing a chain removes all of the rules in that chain only. In both cases the chains and the table themselves remain, which is why flushing is the first step towards deleting a chain or table (see above). Individual rules can also be deleted by their handle.

File Definitions

Warning: The nft -f command, despite what the netfilter wiki (http://people.netfilter.org/wiki-nftables/index.php/Atomic_rule_replacement) says, is NOT atomic. There is a small window, between the deletion of the old tables and the moment the new rule set is loaded, during which no chain is attached to any hook and all packets are accepted. On a host exposed to the network, either accept that window or load the rule set before the interfaces come up.

Note: nft -f only adds to the rule set that is already loaded; it does not replace it. To end up with exactly the rule set in the file, delete all conflicting tables (flushing and deleting their chains first) before using the nft -f command.

A file definition contains the same tables, chains and rules as the command line, written in a nested block syntax, and is loaded with nft -f, which plays the role of the iptables-restore command.
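The following is a complete file definition, added here as a worked example; it is not part of the original page nor one of the nftables project's own sample files. It ties together the chain properties, priorities, matches and file syntax described above for an iptables-like filter setup. The assumptions are mine: a host that accepts only SSH (TCP port 22) and ping from outside, a log prefix and chain names of my choosing, and a file name such as /etc/nftables/filter.rules (any path works).

```nft
# Constructed example ruleset for nft -f (added example, not from the page).
# Two tables may share the name "filter" because they are in different families.

table ip filter {
	# A chain becomes active only through type, hook and priority.
	chain input {
		type filter hook input priority 0;

		# Cheap, high-volume matches first: loopback and tracked flows.
		iif lo accept
		ct state established,related accept
		ct state invalid drop

		# Matches always name the protocol; nft adds the "is TCP/ICMP" check.
		tcp dport 22 ct state new accept
		icmp type echo-request accept

		# Nothing above matched: count and drop. Without this rule the
		# chain falls through and the packet is accepted.
		counter drop
	}

	# A second chain on the same hook. -10 < 0, so it runs before "input".
	# It only logs: an accept here would not skip "input", but a drop would
	# be final, so a chain that merely observes should contain no verdicts.
	chain audit {
		type filter hook input priority -10;
		tcp dport 22 ct state new log prefix "nft new ssh: "
	}

	# Not a router: nothing is forwarded.
	chain forward {
		type filter hook forward priority 0;
		counter drop
	}

	chain output {
		type filter hook output priority 0;
		accept
	}
}

table ip6 filter {
	chain input {
		type filter hook input priority 0;

		iif lo accept
		ct state established,related accept
		ct state invalid drop

		# IPv6 needs neighbour discovery to function; note icmpv6, not icmp.
		icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, echo-request } accept
		tcp dport 22 ct state new accept

		counter drop
	}

	chain forward {
		type filter hook forward priority 0;
		counter drop
	}

	chain output {
		type filter hook output priority 0;
		accept
	}
}
```

Load it with nft -f /etc/nftables/filter.rules and check the result with nft list table filter and nft list table ip6 filter. Because nft -f only adds to what is already loaded, a host that already has a table named filter in either family needs that table flushed and deleted first, during which the warning above applies; on a freshly booted host, loading the file before the network interfaces come up avoids the unprotected window altogether.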